email article printer friendly more resources

Safeguard Corporate Information
Don't let wireless access compromise your valuable data.
by Steve Makofsky

For this solution: Microsoft Mobile Information Server 2002, Visual Studio .NET RC 1 or later, Visual Studio Smart Device Extensions, .NET Framework

I recently heard a story about an executive who lost his personal digital assistant (PDA) while on a trip. Although normally this would be a minor inconvenience and a waste of some time—just go out and buy another device—in this case there were some serious repercussions. It turns out this executive had recently used his PDA to wirelessly download e-mail. Unfortunately, that same e-mail contained some rather sensitive company information (like the secret formula for Twinkie filling). And, because there was no password protection turned on, anyone who picked up the device could read the e-mail and get access to the corporate network. So, not only is the company out a few hundred bucks on the lost PDA, it could incur costs in the millions if that information makes its way to the competition. Or, even worse, gets published on the Internet.

Although this example is extreme, it's a true story and evidence that this sort of security breach does happen. When your users download corporate data onto their wireless devices, the data and information on the device becomes more valuable than the device itself. Securing your corporate network data, as well as locking down mobile devices, is incredibly important. If you're involved in the implementation of a mobile strategy, now is a good time to ask yourself a few simple questions: How secure is your data? How educated are your users about security?

Consider .NET Security
Depending on how you're planning to allow your mobile users to access data, you can implement several different types of security on the server. It's important to understand that security changes dramatically (and so do the risks) when you migrate from traditional LAN usage to .NET-enabled mobile data access.

Microsoft Mobile Information Server 2002 (MIS) provides one option for getting data to cell phones and Wireless Application Protocol (WAP) browsers, and it comes with support for a wide variety of Internet standard security mechanisms. You can chose from Internet Protocol Security (IPSec), Secure HyperText Transfer Protocol (HTTPS), Wireless Transport Layer Security (WTLS), Secure Sockets Layer (SSL), and so on. Most phones that support browsing already support WTLS internally, which encrypts data automatically as it's sent to the wireless gateway. The gateway then converts the data to standard HTTPS and HTTP requests over SSL, which MIS Enterprise can use to establish a session over the Internet.